// Copyright 2019 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT

package setting

import (
	"time"

	"code.gitea.io/gitea/modules/log"
)

// CORSConfig defines CORS settings
var CORSConfig = struct {
	Enabled          bool
	AllowDomain      []string // FIXME: this option is from legacy code, it actually works as "AllowedOrigins". When refactoring in the future, the config option should also be renamed together.
	Methods          []string
	MaxAge           time.Duration
	AllowCredentials bool
	Headers          []string
	XFrameOptions    string // deprecated

	// 使用 Content-Security-Policy 请求头代替过时的 X-Frame-Options
	// ref = https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/Content-Security-Policy
	ContentSecurityPolicy string
}{
	AllowDomain: []string{"*"},
	Methods:     []string{"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"},
	Headers:     []string{"Content-Type", "User-Agent"},
	MaxAge:      10 * time.Minute,

	// 默认只支持运行 Gitea最小限度，如需定制需要修改 app.ini
	ContentSecurityPolicy: "default-src 'self' data: 'unsafe-inline' https://mp.weixin.qq.com; img-src * data:",
}

func loadCorsFrom(rootCfg ConfigProvider) {
	mustMapSetting(rootCfg, "cors", &CORSConfig)
	if CORSConfig.Enabled {
		log.Info("CORS Service Enabled")
	}
}
